Impact
WordPress Werkstatt theme versions up to 4.8.3 contain a PHP Object Injection flaw that allows an attacker to inject serialized PHP objects during data processing. This weakness, identified as CWE-502, can lead to arbitrary code execution if the application unserializes untrusted input. An attacker could potentially upload malicious payloads, execute code on the server, and gain full control of the affected WordPress site.
Affected Systems
The vulnerability affects the Fuelthemes Werkstatt WordPress theme in all releases up to and including 4.8.3. Sites that have deployed any version of Werkstatt 4.8.3 or earlier remain exposed until the theme is updated.
Risk and Exploitability
The CVSS score for this issue is 8.8, indicating high severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote via crafted HTTP requests or file uploads that manipulate the theme’s input handling. Exploitation requires that the theme’s code unserializes user‑supplied data, which it currently does, making the flaw exploitable in a typical WordPress deployment.
OpenCVE Enrichment